This contains 3 proposed commits:
- Remove the unused sch parameter to syncache_respond().
- Access the syncache secret directly from the V_tcp_syncache variable, rather than indirectly through the backpointer to the tcp_syncache structure stored in the hashtable bucket.
This also allows us to remove the requirement in syncookie_generate()
and syncookie_lookup() that the syncache hashtable bucket must be
- Add new functionality to switch to using cookies exclusively when we are under attack. This code uses an overflow of a SYN cache hash bucket as a heuristic to detect an attack. When an attack is detected, the code falls back to using SYN cookies only for 15 seconds. If the attack continues, the fall back time is increased exponentially until it reaches a maximum (16 minutes). When an attack is detected, the code logs a message so the user can decide whether any action is necessary.